The ExcelWraps permissions model makes it easy to collaborate within and between organizational units, hiding irrelevant information while preserving the integrity and security of sensitive information.
This page serves as an overview of the various components of the permissions model and allows you to zoom in on the details that interest you.
Users have roles. Roles work like keys that open vital elements of the Wrapsite only to the right people. Roles are the most important part of the ExcelWraps permissions model.
You need one Role for each separate set of permissions. Some of the typical user roles are shop floor operatives, mechanical workers, electrical workers, supervisors, managers, clients, and suppliers. A user can have any number of roles, e.g. you may be both a shop floor worker and an electrical worker. There is a list of predefined user roles in the bottom sections of this page, and descriptions of other optional roles that you may create for your Wrapsite.
You can also dynamically assign Roles from a Competence Wrap using the UserRole function.
Each role has a set of permissions assigned to it that enables you to View, Create, Edit, and/or Delete content in the Wrapsite. If all your roles together don’t give you particular permission, you cannot perform the corresponding action. Your total set of permissions consists of all granted permissions for all roles that you have. You will be denied access to everything else.
Static content like web pages and blog posts on the Wrapsite have access controls that permit only particular user roles to manage the corresponding content. Read more about Wrapsite administration.
In the Content Management System (CMS), when the “Enable content item access control” checkbox is ticked, content owners are required to have both “All” and “Own” permissions to manage their content effectively.
Most of your work related to permissions and access control will be about protecting the data that is stored in the instances of the Wraps. The ExcelWraps permissions model uses Wrapgroups to grant permission to users in Workgroups to access Wraps and their instances according to each user’s Roles.
You define your Wrapgroups on your Wrapsite’s Administration > ExcelWraps > Wrap Groups page.
When you upload a Wrap the first time, it is made available only in the Default wrapgroup. If you have defined additional Wrapgroups, you can select the Wrapgroups that you want the Wrap included in.
Before you define additional Wrapgroups and Workgroups, the permissions for the Default Wrapgroup and the None Workgroup apply to all users. Below is an example of these permissions. These are the minimum permission settings that must be managed for any Wrapsite.
You can assign different permissions for each defined Role to View, Edit, Create, or Delete Wrap instances in the Wrapgroup.
You can have separate permissions for each user’s own instances, i.e. “created by me”.
The outermost scope for controlling permissions within ExcelWraps is the Wrapsite. From a web hosting perspective, we sometimes refer to this as the “Tenant”. A Wrapsite typically manages work within an independent division of a company.
User accounts are maintained separately per Wrapsite. There is no facility for users in one Wrapsite being granted access to resources in another.
Apart from being your primary vehicle to access Wraps and their instances, the Wrapsite is just like any other website. It has built-in features to create static web pages or add posts to a live blog that permits users to add comments. There is a media library and you can use menus for navigation within the website.
Learn how to change the Wrapsite settings on the Wrapsite administration help page.
Users are created per Wrapsite. A user is uniquely identified by their username (required) or their e-mail address (optional), both of which must be unique within the Wrapsite. A User has Roles and may belong to a Workgroup.
Learn how to change the User settings on the User administration help page.
Roles are used to control permissions on resources. Access to instances of a Wrap is granted by assigning View, Edit, Create or Delete permissions to individual Roles.
If a Role grants permission to a resource, then any User that has been assigned the role can access the resource as long as there are no other constraints for the user’s Workgroup.
Learn how to change the Roles settings on the User administration help page. You can also dynamically assign Roles from a Competence Wrap using the UserRole function.
Workgroups are used to subdivide Wrapsites into smaller groups. Use of them is not required, in which case only Role-based permissions are in play.
Workgroup A can trust Workgroup B. In this case, users in Workgroup B behave as if they are in Workgroup A, and can access resources according to their Roles.
Users within Workgroups can also access resources that do not belong to any Workgroup, in which case only Role permissions apply.
Learn how to change the Workgroup settings on the User administration help page.
Wrapgroups are used to group related Wraps so their access can be configured collectively. Access to instances of a Wrap is granted by assigning View, Edit, Create or Delete permissions to individual Roles. These can be assigned for both instances created by – and therefore owned by – a user, or for all users.
Additionally, a Wrapgroup can belong to a Workgroup. In this case, only users within this Workgroup – or a workgroup they trust – can access the Wrap instances in the Wrapgroup.
Learn how to change the Wrapgroup settings on the Wrap administration help page.
Learn more about the permissions model on the Wrapgroups and Workgroups help page.
Some administrative roles are related to the website itself.
Some operations on the wrapsite may be limited to special users with unrestricted access to all content. The predefined roles we use for this are
It is likely that you want to provide minimal access to the wrapsite until the user has been identified. We use these roles for this:
These roles control the creation of new content on the wrapsite.
When working with Wraps, users may be given different permissions depending on your organizational requirements.
If users inherit certain permissions from their organizational role, you may define roles for each level of permission. You may choose any name for these roles but we recommend that they always begin with “H-” for clarity, e.g.
If users have different access levels depending on their competences, you may define roles that match these competencies. You may choose any name for these roles but we recommend that they always begin with “C-” for clarity, e.g.
Some access control may be more related to a person’s function within the group. You may choose any name for these roles but we recommend that they always begin with “T-” for clarity, e.g.
To learn more about the permissions model, continue to the help page about Wrapgroups and Workgroups.
